mjpegdec: parse RSTn to prevent skipping other data in mjpeg_decode_scan

Check explicitly if enough bits are left to prevent an infinite loop when the bitstream buffer is not followed by zero-padding. Based on patches by Michael Niedermayer <michaelni@gmx.at>.
2024-11-21 10:55:51 +02:00 · 2012-01-05 03:47:21 +01:00 · 2012-01-05 03:47:21 +01:00 · e268a352af
commit e268a352af
parent 5e5cde2745
1 changed files with 16 additions and 8 deletions
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@ -881,14 +881,22 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
                }
            }

-            if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */
-                --s->restart_count;
-                align_get_bits(&s->gb);
-                while(show_bits(&s->gb, 8) == 0xFF)
-                    skip_bits(&s->gb, 8);
-                skip_bits(&s->gb, 8);
-                for (i=0; i<nb_components; i++) /* reset dc */
-                    s->last_dc[i] = 1024;
+            if (s->restart_interval) {
+                s->restart_count--;
+                i = 8 + ((-get_bits_count(&s->gb)) & 7);
+                /* skip RSTn */
+                if (show_bits(&s->gb, i) == (1 << i) - 1) {
+                    int pos = get_bits_count(&s->gb);
+                    align_get_bits(&s->gb);
+                    while (get_bits_left(&s->gb) >= 8 && show_bits(&s->gb, 8) == 0xFF)
+                        skip_bits(&s->gb, 8);
+                    if ((get_bits(&s->gb, 8) & 0xF8) == 0xD0) {
+                        for (i = 0; i < nb_components; i++) /* reset dc */
+                            s->last_dc[i] = 1024;
+                    } else {
+                        skip_bits_long(&s->gb, pos - get_bits_count(&s->gb));
+                    }
+                }
            }
        }
    }